Bare-minimum rights for Office 365 Migration Account


Hi everyone,

 

We have an account (Office 365 Migration User) which is used by Exchange and Exchange Online to do mailbox migrations. However, this account seems to have every admin permission in existence--which seems to be a bit much for what it does.

Can you please advise and determine exactly what level of permissions this account should have? Do I need any clarification for each of the group memberships? I want to reduce this user's rights as much as possible.

 

Get-ADPrincipalGroupMembership -Identity O365MigUser | select Name

Name
----
Domain Users
Exchange Servers
Exchange Organization Administrators
Exchange Public Folder Administrators
Exchange Recipient Administrators
Exchange View-Only Administrators
Exchange Trusted Subsystem
Exchange All Hosted Organizations
Exchange Windows Permissions
Migration Admin
Domain Admins
Enterprise Admins
Exchange Domain Servers
Exchange Admins
Exchange Install Domain Servers
Exchange Services
Exchange Enterprise Servers
CSUserAdministrator
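
One way to triage a membership list like the one above, as an added example that is not part of the original post. It assumes the ActiveDirectory RSAT module is available; the `$Keep` list is a placeholder to fill in from the least-privilege guidance you adopt, and the removal step only runs as a dry run.

```powershell
# Added example: classify a service account's AD group memberships by risk.
Import-Module ActiveDirectory
$Account = 'O365MigUser'   # account name as shown in the post

# Domain/forest-wide admin groups, matched by well-known RID so that
# renamed groups are still caught.
$Tier0Rids = @{ '512' = 'Domain Admins'; '518' = 'Schema Admins'; '519' = 'Enterprise Admins' }

# Groups that Exchange setup creates for the Exchange servers themselves,
# not for user or service accounts.
$ServerOnly = 'Exchange Servers', 'Exchange Trusted Subsystem', 'Exchange Windows Permissions'

# Assumption: groups the account is allowed to keep. Extend this from the
# documented migration requirement before acting on the report.
$Keep = @('Domain Users')

$report = Get-ADPrincipalGroupMembership -Identity $Account | ForEach-Object {
    $rid = $_.SID.Value.Split('-')[-1]
    $finding = if ($Keep -contains $_.Name) { 'keep' }
               elseif ($Tier0Rids.ContainsKey($rid)) { 'tier-0 admin group: removal candidate' }
               elseif ($ServerOnly -contains $_.Name) { 'Exchange server group: removal candidate' }
               else { 'review against documented requirement' }
    [pscustomobject]@{
        Group   = $_.Name
        Scope   = $_.GroupScope
        Finding = $finding
        DN      = $_.DistinguishedName
    }
}

$report | Sort-Object Finding, Group | Format-Table Group, Scope, Finding -AutoSize

# Dry run only: -WhatIf prints what would be removed without changing anything.
$report | Where-Object Finding -like '*removal candidate' | ForEach-Object {
    Remove-ADGroupMember -Identity $_.DN -Members $Account -WhatIf
}
```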

5 Replies
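@HungNguyen142112 Here is the article that lists the permissions required for least privileges: https://docs.microsoft.com/en-us/Exchange/permissions/feature-permissions/recipient-permissions?redirectedfrom=MSDN&view=exchserver-2019#mailbox-move-and-migration-permissions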

Thank you - @Joe Stocker

But can you please advise in more detail about that? We saw many reference links inside this article and could not find my answer herein, unfortunately.


@HungNguyen142112 see attached detailed instructions for creating least privilege migration accounts


@Joe Stocker 

 

That's great.

 

I am reading through your guide. Hopefully it can help me out.

 

Thanks a lot.

Just checking in to see if this was able to solve your issue?